From: Jose Nazario (jose at biocserver.BIOC.cwru.edu)
Date: Mon May 14 2001 - 12:42:16 CDT
On Mon, 14 May 2001, Bob Johnson wrote:
> Don't know if you ever figured this out. The only place I've ever
> seen port 8 used is a Telocity DSL modem in a friend's office.
[snip]
> Mikael Fors wrote:
> > May 9 10:03:36 gator kernel: Packet log: eth0o REJECT eth0 PROTO=1 a.b.c.d:8 192.168.22.2:0 L=60 S=0x00 I=29112 F=0x0000 T=126 (#24)
[snip]
that logline should tell you everything you need to know. it's a
deficiency, however, of the logging that is causing your confusion.
from /etc/protocols (and the IANA list)
icmp 1 ICMP # internet control message protocol
so ... PROTO=1 means 'ICMP'.
now for the 'port 8' (from a.b.c.d:8 in the logfile), this is the
deficiency: ICMP doesn't use ports, it uses types and codes. so, you saw an
ICMP type 8, which is 'echo request', aka our friend 'ping'.
as such, it looks like someone was pinging you. there are a variety of
legit reasons why someone could be pinging you, including napster (uses it
to get latencies and estimated bandwidth between the two endpoints of a
connection), and gaming. the frequency doesn't appear to be anything
special, so i wouldn't presume a DoS attempt.
figure 6.3 of stevens' 'TCP/IP Illustrated Vol 1' should be useful here.
the main culprit is the crappy mistake in the logging. whoever hacked it
together (the code) needs to be beaten with a blunt object for only
thinking about protocols 6 and 17 (UDP and TCP). other protocols usually
get barfed on as well for 'port numbers', especially when the concept of a
port is absent in the protocol definition.
hope this helps,
____________________________
jose nazario jose at cwru.edu
PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
PGP key ID 0xFD37F4E5 (pgp.mit.edu)
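As an added example (not part of the original thread): a small Python parser for ipchains-style 'Packet log:' lines that decodes the two colon-separated numbers the way the post describes, as ICMP type and code when PROTO=1 rather than as source and destination ports. The second sample log line and all function names are constructed for illustration and do not come from the thread.

```python
import re

# ICMP types discussed in the thread (RFC 792). For PROTO=1 the logger prints
# the ICMP type where a source port would go and the code where the
# destination port would go, so "a.b.c.d:8 x.y.z.w:0" is an echo request.
ICMP_TYPES = {0: "echo reply", 3: "destination unreachable",
              8: "echo request", 11: "time exceeded"}
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\w.]+):(?P<sfield>\d+) (?P<dst>[\w.]+):(?P<dfield>\d+)"
)

def parse_packet_log(line):
    """Decode one ipchains 'Packet log:' line into a dict.

    The two numbers after the addresses are only ports for TCP/UDP; for ICMP
    they are type/code, and for other protocols they are left as raw fields."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not a Packet log line: %r" % line)
    proto = int(m.group("proto"))
    sfield, dfield = int(m.group("sfield")), int(m.group("dfield"))
    out = {"chain": m.group("chain"), "action": m.group("action"),
           "protocol": PROTO_NAMES.get(proto, str(proto)),
           "src": m.group("src"), "dst": m.group("dst")}
    if proto == 1:
        out["icmp_type"], out["icmp_code"] = sfield, dfield
        out["icmp_name"] = ICMP_TYPES.get(sfield, "unknown type")
    elif proto in (6, 17):
        out["sport"], out["dport"] = sfield, dfield
    else:
        out["raw_fields"] = (sfield, dfield)  # not ports; protocol has none
    return out

def describe(line):
    """Human-readable summary, e.g. 'icmp echo request (type 8/code 0) a.b.c.d -> 192.168.22.2'."""
    p = parse_packet_log(line)
    if p["protocol"] == "icmp":
        what = "icmp %s (type %d/code %d)" % (p["icmp_name"], p["icmp_type"], p["icmp_code"])
    elif "sport" in p:
        what = "%s port %d -> %d" % (p["protocol"], p["sport"], p["dport"])
    else:
        what = "proto %s fields %r" % (p["protocol"], p["raw_fields"])
    return "%s %s -> %s" % (what, p["src"], p["dst"])

# Sample input: the line quoted in the thread, plus a constructed TCP line.
SAMPLE_ICMP = ("May 9 10:03:36 gator kernel: Packet log: eth0o REJECT eth0 PROTO=1 "
               "a.b.c.d:8 192.168.22.2:0 L=60 S=0x00 I=29112 F=0x0000 T=126 (#24)")
SAMPLE_TCP = ("May 9 10:04:01 gator kernel: Packet log: input DENY eth0 PROTO=6 "
              "10.0.0.5:40001 192.168.22.2:22 L=60 S=0x00 I=1 F=0x4000 T=64 SYN (#12)")
```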